
escaping before inserts - get_magic_quotes_gpc


Folks,

This question is directed towards PHP/MySQL folk and relates to escaping
hooks, apostrophes and other characters that can create a security hole
when writing to databases/files. I've been reading
http://ca2.php.net/manual/en/functio...quotes-gpc.php and just need
to confirm a couple of things:

If I have magic_quotes_gpc on, and I use addslashes() - Does this in effect
cause me to take security one step forward, and then back again? I mean, if
magic_quotes_gpc is on, it will escape all my data before writing it to the
database - But if I also use addslashes() will it not escape the escapes put
in by magic_quotes_gpc?

When I perform a SELECT at the moment, the data that contains special
characters is being returned with a backslash... This is wrong, correct?
Because a properly escaped character should be stored without the backslash,
true? Thus this means my quotes, or double quotes should be stored in my
table, and the quotes should not be preceded by the backslash character as
part of the returned string from my SELECT.

How can I test that I am storing my data properly? (Thus, how can I perform
a friendly attack on my database through my client HTML forms). I've tried
`/bin/ls -l > /tmp/rd1` but this does not create a temp file in my temp
directory - Thus, does this mean I have myself secure against this sort of
common hack attack?

All help, via the newsgroup, is much appreciated,
Thanks
Randell D.
Jul 19 '05 #1
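
The double-escaping the post asks about, as an added example that is not part of the original post: magic_quotes_gpc is simulated with addslashes() because current PHP releases no longer have the setting, and the helper names and sample input are constructed. The last step assumes the pdo_sqlite extension is available and shows a round-trip check with a bound parameter.

```php
<?php
// Added example: models magic_quotes_gpc plus addslashes() double-escaping.
// Helper names and the sample input are constructed for illustration.

// magic_quotes_gpc=On applied the equivalent of addslashes() to request data.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Model of the SQL parser reading a quoted literal: one escape level is
// consumed. stripslashes() matches that for quotes and backslashes.
function value_after_sql_parse(string $literal_body): string
{
    return stripslashes($literal_body);
}

// Round-trip check through a real driver using a bound parameter.
function round_trip(PDO $db, string $value): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS t (v TEXT)');
    $db->exec('DELETE FROM t');
    $stmt = $db->prepare('INSERT INTO t (v) VALUES (?)');
    $stmt->execute([$value]);
    return $db->query('SELECT v FROM t')->fetchColumn();
}

$typed = 'O\'Reilly said "hi"';          // constructed form input
$gpc   = simulate_magic_quotes($typed);  // escaped once by the setting
$twice = addslashes($gpc);               // escaped again by the script

$rows = [
    'escaped once'  => value_after_sql_parse($gpc),
    'escaped twice' => value_after_sql_parse($twice),
];
foreach ($rows as $label => $stored) {
    printf("%-14s stored: %-24s %s\n", $label, $stored,
        $stored === $typed ? 'matches input' : 'backslashes stored');
}

// Bound parameter: undo the simulated magic quotes once, add no escaping.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$back = round_trip($db, stripslashes($gpc));
printf("%-14s stored: %-24s %s\n", 'bound param', $back,
    $back === $typed ? 'matches input' : 'mismatch');
```

Comparing the value read back with the value typed, byte for byte, is the storage test: any stored backslash that the user did not type means one escaping layer too many.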